PGwire - The Official Blog of Piccerelli, Gilstein and Company, LLP

Thursday, November 19, 2009

Massachusetts has Written your Information Security Program

We have been closely following the Massachusetts Privacy Law and note the deadline for full compliance has been pushed back once again to March 1, 2010. Read on to learn more about the new regulations.

Recently the Commonwealth of Massachusetts enacted M.G.L. c. 93H, titled Security Breaches. This law requires the establishment of minimum standards to safeguard personal information in both paper and electronic form. The resulting regulation, 201 CMR 17, Standards for the Protection of Personal Information of Residents of the Commonwealth, applies to every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth.

The regulation defines the personal information that triggers the requirement to implement 201 CMR 17. A "person" here means a natural person, corporation, association, partnership or other legal entity. If such a person holds a Massachusetts resident's first name and last name (or first initial and last name) in combination with any one of the following, it must develop, implement, and maintain a Written Information Security Program (WISP): the resident's Social Security number; driver's license number or state-issued identification card number; or a financial account number or credit or debit card number, with or without any associated security code, access code, personal identification number, or password, that would permit access to the resident's financial account.

The WISP must be consistent with industry standards, provide for an ongoing risk assessment, and contain defined administrative, technical, and physical safeguards. As business owners we need to examine the various ways confidential information is stored and transmitted both on and off our premises.

In the electronic world, we store and transmit data in many ways that include, but are not limited to, desktop computers, notebook computers, file servers, backup tapes, remote backup devices, thumb drives, compact discs (CDs), and internal and external e-mail. We will be required to examine the components of our computer networks, including routers, switches, wireless access points and remote access functionality. Other areas of concern include:
  • E-mail encryption, including attachments.
  • Portable device encryption, for example notebook computers.
  • Backup tape encryption.
  • Password policies, including required use of complex passwords.
  • Physical security for servers and network equipment.
  • Training employees on the established security measures.
  • Cell phones that can access personal information.
The complexity of the program will vary for each business depending on its size, the resources available, the amount of stored information, and the need for security and confidentiality of consumer and employee information. Every program must, at a minimum:
  1. Designate one or more employees to maintain the WISP.
  2. Identify and assess reasonably foreseeable internal and external risks.
  3. Develop security policies for keeping, accessing and transporting records containing personal information.
  4. Impose disciplinary measures for violations of the program.
  5. Prevent access to personal information by terminated employees.
  6. Verify that third-party service providers can protect personal information and contractually require them to do so.
  7. Limit the collection of personal information to what is reasonably necessary to accomplish a legitimate purpose.
  8. Identify which records, systems and storage media (including laptops and portable devices) contain personal information, unless the program treats all records as if they contained personal information.
  9. Restrict physical access to records containing personal information.
  10. Monitor security practices to ensure they are effective, and make changes where warranted.
  11. Review the program at least annually, or whenever there is a material change in business practices.
  12. Document the actions taken in response to any breach of security, and review those actions afterward.
The effective date for full compliance with 201 CMR 17 is March 1, 2010.
